HIPAA Compliance for Orthopedic Practices: Imaging and Surgical Records

Orthopedics is an imaging- and surgery-heavy specialty, and that is exactly where its HIPAA risk concentrates. A typical orthopedic encounter generates X-rays, and often MRI or CT studies, stored as DICOM files in a PACS (picture archiving and communication system) — large, identity-rich records that move between the practice, imaging centers, surgical facilities, and outside specialists. Add operative reports, implant and device tracking, intraoperative photos and video, and the device-manufacturer representatives who are often present in the OR, and you have a data environment far more distributed than a primary-care office. Protecting imaging and surgical PHI as it moves among all these parties is the defining HIPAA challenge for orthopedics.

PACS, DICOM, and imaging exposure

Medical images are PHI: DICOM files embed the patient’s name, date of birth, and accession details directly in the file metadata, so an “anonymous” image is rarely anonymous. PACS and imaging systems need the same access controls, encryption, and audit logging as the EHR, and any cloud image-storage or image-sharing service you use is a business associate that requires a Business Associate Agreement. Practices that share studies with referring physicians or ambulatory surgery centers should confirm those transfers are encrypted, not sent as unprotected email attachments.
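The following check, added here as an illustration and not part of the original article or of any product, shows why a DICOM file is not anonymous just because the image itself carries no caption: it parses a constructed, simplified Explicit VR Little Endian header, reports which direct-identifier tags are populated, and blanks them before the study leaves the practice. It assumes a hypothetical tag subset; a real de-identification pass must follow the full DICOM PS3.15 Annex E profile, handle 4-byte-length VRs and private tags, and deal with text burned into the pixel data.

```python
import struct

# Direct-identifier tags (group, element). Constructed subset; a real de-identification
# profile (DICOM PS3.15 Annex E) covers many more tags, including private ones.
IDENTIFYING_TAGS = {(0x0008, 0x0050): "AccessionNumber", (0x0010, 0x0010): "PatientName",
                    (0x0010, 0x0020): "PatientID", (0x0010, 0x0030): "PatientBirthDate"}

def build_dataset(elements):
    """Encode (tag, VR, value) as Explicit VR Little Endian after the preamble and 'DICM'.
    Simplified: the file-meta group (0002,xxxx) is omitted."""
    out = bytearray(b"\x00" * 128 + b"DICM")
    for (group, elem), vr, value in elements:
        raw = value.encode("ascii")
        raw += b" " * (len(raw) % 2)                 # DICOM pads values to even length
        out += struct.pack("<HH", group, elem) + vr.encode("ascii") + struct.pack("<H", len(raw)) + raw
    return bytes(out)

def iter_elements(data):
    """Yield (tag, vr, value_offset, value). Handles only VRs with a 2-byte length field;
    real files also use 4-byte-length VRs (OB, OW, SQ, UN, UT)."""
    if data[128:132] != b"DICM":
        raise ValueError("not a DICOM Part 10 file")
    pos = 132
    while pos + 8 <= len(data):
        group, elem = struct.unpack_from("<HH", data, pos)
        vr = data[pos + 4:pos + 6].decode("ascii")
        length = struct.unpack_from("<H", data, pos + 6)[0]
        pos += 8
        yield (group, elem), vr, pos, data[pos:pos + length]
        pos += length

def find_identifiers(data):
    """Return {tag_name: value} for each identifying tag that is present and non-blank."""
    return {IDENTIFYING_TAGS[tag]: value.decode("ascii").strip()
            for tag, _vr, _off, value in iter_elements(data)
            if tag in IDENTIFYING_TAGS and value.strip()}

def blank_identifiers(data):
    """Overwrite identifying values with spaces, keeping lengths so the structure stays valid."""
    out = bytearray(data)
    for tag, _vr, off, value in iter_elements(data):
        if tag in IDENTIFYING_TAGS:
            out[off:off + len(value)] = b" " * len(value)
    return bytes(out)

# Constructed sample header with fictitious identifiers plus one clinical (non-identifying) tag.
SAMPLE = build_dataset([((0x0008, 0x0050), "SH", "ACC-0001"), ((0x0010, 0x0010), "PN", "DOE^JANE"),
                        ((0x0010, 0x0020), "LO", "MRN12345"), ((0x0010, 0x0030), "DA", "19700101"),
                        ((0x0008, 0x0060), "CS", "MR")])
```

Running `find_identifiers` on a study before it is shared is the kind of automated check that turns "we think it's anonymized" into evidence for the audit file.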

Surgical records, implants, and OR access

Operative documentation, implant logs, and device-tracking data tie specific hardware to specific patients — information that must be safeguarded like any other PHI. Orthopedic surgery also brings non-employees into contact with patient information: device-company representatives in the operating room, surgical-assist vendors, and ambulatory surgery centers all may see or handle PHI. Each relationship needs to be evaluated, and where a vendor handles PHI on your behalf, a Business Associate Agreement must be in place and access limited to the minimum necessary.

The Security Risk Analysis

The HIPAA Security Rule requires a Security Risk Analysis under 45 CFR § 164.308(a)(1)(ii)(A) — a thorough assessment of risks to all electronic PHI. For an orthopedic practice, that analysis has to include the PACS and imaging systems, not just the EHR, along with image-sharing services, the surgical scheduling and documentation platforms, and the vendors that connect to them. Leaving imaging systems out of the SRA is one of the most common gaps OCR finds in imaging-intensive specialties. Working from a HIPAA compliance checklist helps ensure every system is accounted for.

The proposed 2026 Security Rule update

In December 2024, HHS published a Notice of Proposed Rulemaking to strengthen the Security Rule, proposing mandatory encryption, multi-factor authentication, network segmentation, and more rigorous risk analyses. The rule is not final — it is still working through the rulemaking process — and if finalized as proposed, organizations would have roughly 240 days from the effective date to comply. Because imaging systems and large DICOM archives are storage- and bandwidth-intensive, encryption and segmentation requirements would have a real operational impact, making early planning worthwhile.

How Medcurity helps

Medcurity helps orthopedic practices run a guided Security Risk Analysis that captures their full imaging and surgical footprint — PACS, image-sharing tools, surgical platforms, and the vendors behind them — while tracking Business Associate Agreements and keeping documentation audit-ready. The platform is $499/year (about $42/month) for a single practice, and larger orthopedic groups and surgery centers can request a quote. It gives a distributed, imaging-heavy practice a single clear view of where its PHI lives and how it’s protected.

Frequently asked questions

Are medical images like X-rays and MRIs considered PHI?

Yes. DICOM image files embed identifiers such as the patient’s name and date of birth in their metadata, so they are protected health information. PACS and image-sharing systems must have the same encryption, access controls, and audit logging as your EHR.

Is our PACS or cloud imaging vendor a business associate?

If the vendor stores, transmits, or otherwise handles your patients’ images on your behalf, yes — it is a business associate and requires a Business Associate Agreement. That includes cloud PACS, image-sharing portals, and teleradiology services.

How should we share imaging studies with referring physicians and surgery centers?

Through encrypted channels — secure image-exchange platforms or encrypted transfer — never as unprotected email attachments. The receiving party should be authorized to view only the minimum necessary information for the patient’s care.

Do device representatives in the OR create HIPAA obligations?

They can. When a device or surgical-assist vendor’s representative accesses patient information as part of providing services, that vendor may be a business associate requiring a Business Associate Agreement, and access should be limited to the minimum necessary.